PCI Security Standards Council confirms April release for PCI DSS v3.1

The PCI Security Standards Council (SSC) has announced that it will publish PCI DSS version 3.1 in April with the PA-DSS revision to follow shortly after.

In February, the PCI SSC announced that, because of an inherent weakness in the protocol, SSL version 3.0 is “no longer acceptable for protection of data”, as we reported in a blog post.

The follow-up statement dated 25 March 2015 confirms the following:

  • “The changes impact all requirements in the PCI DSS and PA-DSS that reference SSL as an example of ‘strong cryptography’. Specifically: PCI DSS Requirements 2.2.3, 2.3 and 4.1; and PA-DSS Requirements 6.2, 8.2, 11.1 and 12.1-12.2.
  • “All PCI DSS and PA-DSS v3.0 documentation will be affected, including: Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC), Report on Compliance (ROC), Attestation of Validation (AOV) and Report on Validation (ROV).
  • “When published, the revisions will be effective immediately but impacted requirements will have a sunset date to allow for organizations with affected systems to implement the changes.
  • “The revised standards will be accompanied by a summary of changes document for each standard, as well as supporting guidance to help clarify the impact of these changes, including interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols.”

Recommendations

Until the publication of the revisions mentioned above, the PCI SSC “urges organizations to work with your IT departments and/or partners to understand if you are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.”

Help with PCI compliance

As a PCI Qualified Security Assessor (QSA), IT Governance can help your organisation achieve and maintain compliance with the PCI DSS.

Alternatively, email servicecentre@itgovernance.co.uk or call us on 0845 070 1750 to discuss your requirements.